On Thu, Apr 20, 2000 at 04:17:54PM -0400, Mark E. Drummond wrote:
> Jochen Kaiser wrote:
> >
> > So you forbid ssh? Port 22? I just take another one and keep smiling
> > at your firewall. Changing the ports is as easy as tunneling.
>
> Wrong. An application proxy will analyze packet contents and nix
> anything that is not kosher with the expected protocol. Including
> unintelligible "encrypted" traffic.
>
HMM?
No application proxy can prevent tunneling. Look: my tunnel just breaks
the rules and hides its control commands in the data of the allowed protocol.
What are you doing against it? Answer: nothing!
This isn't any high-level wizardry. Such programs are easily available
on appropriate sites.
Blocking internal traffic is often a stupid idea because it motivates
users to break out of your control. If one of your users
establishes a tunnel through a firewall, then often he needs to start two
programs, one inside and one outside.
If the user isn't a supreme user, then he may configure it wrongly and
therefore open a two-way tunnel in both directions.
This is called security by obscurity.
With kind regards,
Jochen Kaiser
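An added illustration of the point made above, written for this page and not code from either poster or from any real tunneling tool: a toy "inside" program wraps chunks of an arbitrary byte stream as well-formed HTTP POST requests, a toy "outside" program unwraps them, and a model of a strict application proxy checks only protocol conformance (request line, headers, Host, Content-Length, body bytes legal for the declared form encoding). The proxy refuses a raw SSH banner but passes every tunnelled request, because the control commands sit inside a field whose syntax is exactly what HTTP allows. Hostnames, paths and the sample byte stream are constructed for the example; no network is used.

```python
import base64
import re

# Constructed sample of the data the tunnel is meant to carry: a made-up
# fragment of an SSH session followed by every byte value, so binary data
# is covered. The proxy never sees these bytes in the clear.
SAMPLE_STREAM = b"SSH-2.0-OpenSSH\r\n\x00\x00\x01\x2c\x0a\x14" + bytes(range(256))

CHUNK = 64  # bytes of tunnelled stream carried per HTTP request


def wrap_in_http(chunk: bytes, host: bytes = b"www.example.com") -> bytes:
    """'Inside' program: wrap one chunk of the stream as a valid HTTP/1.1 POST.

    The chunk travels base64-encoded in a form field, so the body is exactly
    what the Content-Type promises and every header is consistent with it.
    """
    body = b"q=" + base64.urlsafe_b64encode(chunk)
    return (
        b"POST /search HTTP/1.1\r\n"
        b"Host: " + host + b"\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


def unwrap_from_http(request: bytes) -> bytes:
    """'Outside' program: recover the chunk from the form field."""
    _head, _sep, body = request.partition(b"\r\n\r\n")
    if not body.startswith(b"q="):
        raise ValueError("not a tunnel request")
    return base64.urlsafe_b64decode(body[2:])


_REQUEST_LINE = re.compile(rb"(GET|POST) /[\x21-\x7e]* HTTP/1\.[01]")
_FORM_BODY = re.compile(rb"[A-Za-z0-9_.~%+=&-]*")


def proxy_allows(request: bytes) -> bool:
    """Model of a strict application proxy that checks HTTP conformance only.

    Rejects a bad request line, a malformed header, a missing Host, a
    Content-Length that does not match the body, or a body whose bytes are
    not legal for the declared form encoding. It cannot tell what the form
    field means, which is all the tunnel needs.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.split(b"\r\n")
    if not _REQUEST_LINE.fullmatch(lines[0]):
        return False
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return False
    if headers.get(b"content-length", b"0") != str(len(body)).encode():
        return False
    if headers.get(b"content-type") == b"application/x-www-form-urlencoded":
        return _FORM_BODY.fullmatch(body) is not None
    return len(body) == 0


def tunnel(stream: bytes):
    """Push a byte stream through the proxy one HTTP request at a time.

    Returns (reassembled stream, requests allowed, requests blocked).
    """
    out, allowed, blocked = b"", 0, 0
    for i in range(0, len(stream), CHUNK):
        req = wrap_in_http(stream[i:i + CHUNK])
        if proxy_allows(req):
            allowed += 1
            out += unwrap_from_http(req)
        else:
            blocked += 1
    return out, allowed, blocked


if __name__ == "__main__":
    # Raw SSH on the HTTP port is refused: it is not HTTP at all.
    print("raw SSH banner allowed:", proxy_allows(b"SSH-2.0-OpenSSH\r\n"))
    # The same bytes inside valid HTTP pass every conformance check.
    data, ok, bad = tunnel(SAMPLE_STREAM)
    print(f"tunnelled {len(data)} bytes in {ok} requests, {bad} blocked, "
          f"intact={data == SAMPLE_STREAM}")
```

The proxy here is deliberately stricter than many real ones, and it still cannot help: every request it sees is legal HTTP. What a conformance check does stop is the lazy case of running the foreign protocol directly on an allowed port. Anything beyond that has to come from the traffic's shape (volume, timing, entropy of the field contents), not from its syntax.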